How to generate SSL for Apache Server using Let’s Encrypt


To generate an SSL certificate for an Apache server using Let’s Encrypt, a free, automated, and open Certificate Authority, you can use the Certbot tool. Here are the general steps:

Step 1: Install Certbot

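Make sure you have Certbot installed on your server. You can typically install Certbot using the package manager for your operating system. For example, on Ubuntu, you can use the following commands (the python3-certbot-apache package provides the Apache plugin that the --apache option in Step 2 relies on):

sudo apt update
sudo apt install certbot python3-certbot-apache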

Step 2: Obtain a Certificate

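Run Certbot to obtain a new SSL certificate for your Apache server. The certonly subcommand obtains the certificate without installing it into your Apache configuration, and the --apache option tells Certbot to use its Apache plugin for domain validation.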

sudo certbot certonly --apache

Certbot will prompt you for some information, such as your domain name and email address. After providing the necessary information, Certbot will communicate with the Let’s Encrypt server, perform domain validation, and generate the SSL certificate.

Here is a sample output of the above command:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1]: 1

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on YYYY-MM-DD. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Step 3: Configure Apache to Use SSL

Once you have obtained the certificate, you need to configure Apache to use it. Edit your Apache configuration file to include the SSL certificate and key.

sudo nano /etc/apache2/sites-available/your-site.conf

Add the following lines to the VirtualHost section, replacing with your actual domain:

<VirtualHost *:443>
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/

    # Other SSL configurations (optional)
</VirtualHost>

Implement HTTPS Redirection

To enforce HTTPS redirection for all versions of your site, you can add an additional <VirtualHost> block for port 80 (HTTP) that redirects to the HTTPS version. Here’s an example configuration for Apache:

<VirtualHost *:80>
    DocumentRoot /var/www/html

    # Redirect all HTTP traffic to HTTPS
    Redirect permanent /

    # Other configurations (if needed)
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/

    # Other SSL configurations (optional)
</VirtualHost>

In this configuration:

  • The first <VirtualHost> block listens on port 80 and includes a Redirect directive to permanently redirect all HTTP traffic to the HTTPS version of your site (
  • The second <VirtualHost> block listens on port 443 (HTTPS) and includes the SSL certificate configurations.

Make sure to replace with your actual domain in both places.

With this setup, any HTTP requests to your site will be automatically redirected to the secure HTTPS version.
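
A quick lint for the two-block layout described above, as an added example (not from the original article): the awk script reports a port-80 block that lacks a Redirect to https://, a port-443 block missing SSLEngine on or a certificate/key path, and any block left without a closing </VirtualHost>. The sample file, the lint_vhosts name and the example.test domain are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lint an Apache site file for the redirect/TLS layout in this article.
# lint_vhosts FILE -> prints one finding per line; prints nothing when the file passes.
lint_vhosts() {
    awk '
    function finish() {            # report on the block that just ended
        if (port == "80" && !redirect) print "port 80: no Redirect to https://"
        if (port == "443" && !engine)  print "port 443: SSLEngine on missing"
        if (port == "443" && !cert)    print "port 443: SSLCertificateFile missing"
        if (port == "443" && !key)     print "port 443: SSLCertificateKeyFile missing"
        port = ""; redirect = engine = cert = key = 0
    }
    function unclosed() { print "port " port ": missing </VirtualHost>"; finish() }
    { line = tolower($0); sub(/^[ \t]+/, "", line) }   # directives are case-insensitive
    line ~ /^#/ { next }
    line ~ /^<virtualhost/ {
        if (port != "") unclosed()
        port = line; sub(/^.*:/, "", port); sub(/>.*$/, "", port); next
    }
    line ~ /^<\/virtualhost>/ { finish(); next }
    port == "" { next }
    line ~ /^redirect[ \t]/ && line ~ /[ \t]https:\/\// { redirect = 1 }
    line ~ /^sslengine[ \t]+on/                          { engine = 1 }
    line ~ /^sslcertificatefile[ \t]+[^ \t]/             { cert = 1 }
    line ~ /^sslcertificatekeyfile[ \t]+[^ \t]/          { key = 1 }
    END { if (port != "") unclosed() }
    ' "$1"
}

# Constructed sample: HTTP block with no redirect, HTTPS block never closed.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
EOF
lint_vhosts "$sample_conf"
```

Run it against the site file before restarting Apache; an empty result means both blocks have the directives this article relies on.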

Step 4: Enable SSL and Restart Apache

Enable the SSL module for Apache and restart the server to apply the changes:

sudo a2enmod ssl
sudo systemctl restart apache2

Step 5: Set up Auto-Renewal (Optional but recommended)

Let’s Encrypt certificates are valid for 90 days, so it’s a good practice to set up automatic renewal. Certbot can handle this for you through a cron job.

The renew --dry-run command simulates the renewal of the Let’s Encrypt SSL certificates managed by Certbot without changing the certificates on disk or contacting the production Let’s Encrypt server; the test run goes to Let’s Encrypt’s staging environment instead.

The --dry-run flag tests the renewal process safely, so you can verify that the renewal configuration is correct and that a real renewal would succeed. This helps catch potential issues, such as misconfigurations or rate limits, before the actual renewal is performed automatically through the scheduled cron job.

sudo certbot renew --dry-run

If the dry-run is successful, add a cron job to renew the certificates automatically:

sudo crontab -e

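Add the following line to run the renewal check daily. Certbot only renews a certificate when it is within 30 days of expiration (Let’s Encrypt certificates typically expire after 90 days), so most runs change nothing:

0 0 * * * certbot renew --quiet --deploy-hook "systemctl reload apache2"

This cron schedule runs the command at midnight (0:00) every day. The certbot renew --quiet command checks for expiring certificates and renews them if necessary; the --quiet flag suppresses unnecessary output, making the cron job less verbose. Because the certificate was obtained with certonly, Certbot does not reload Apache on its own after a renewal, so the --deploy-hook command reloads Apache whenever a certificate is actually renewed and the new certificate starts being served.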

Save the changes and exit the text editor.
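
To confirm that the scheduled renewal is actually happening, the following added example (not part of the original article) classifies a certificate against the same 30-day window Certbot uses, via openssl x509 -checkend. The function names and the self-signed example.test certificates are constructed for the demonstration; on a real server, pass the certificate file under /etc/letsencrypt/live/ for your domain.

```shell
#!/bin/sh
# Added example: classify a certificate against Certbot's 30-day renewal window.

# cert_status FILE [WINDOW_DAYS] -> prints ok | renew-due | expired | unreadable
cert_status() {
    cert=$1
    window_days=${2:-30}
    # Reject missing files and files that do not parse as an X.509 certificate.
    [ -r "$cert" ] || { echo unreadable; return 0; }
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((window_days * 86400)) >/dev/null 2>&1; then
        echo renew-due      # inside the window: renewal should already have run
    else
        echo ok
    fi
}

# make_sample_cert DIR DAYS -> path of a constructed self-signed certificate
# (stands in for a Let's Encrypt certificate so the demo runs offline).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" \
        -keyout "$1/key-$2.pem" -out "$1/cert-$2.pem" >/dev/null 2>&1
    echo "$1/cert-$2.pem"
}

demo_dir=$(mktemp -d)
fresh=$(make_sample_cert "$demo_dir" 90)   # like a newly issued certificate
stale=$(make_sample_cert "$demo_dir" 10)   # what you see when renewal keeps failing
echo "90-day certificate: $(cert_status "$fresh")"
echo "10-day certificate: $(cert_status "$stale")"
```

A renew-due result that persists for more than a day or two means the cron job is not renewing, which is the point to check /var/log/letsencrypt/letsencrypt.log.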

Step 6: Configure Firewall

When configuring a firewall for Certbot and Let’s Encrypt, it’s important to ensure that the necessary ports are open to allow communication between your server and the Let’s Encrypt servers. The default method used by Certbot for domain validation is the HTTP-01 challenge, which involves Let’s Encrypt making HTTP requests to your server.

Here are the ports you need to consider:

HTTP (Port 80)

Let’s Encrypt uses port 80 for the HTTP-01 challenge.

Ensure that your firewall allows incoming traffic on port 80.

HTTPS (Port 443)

If you are using the TLS-SNI-01 challenge (deprecated), you may also need to allow incoming traffic on port 443.

If you are using the HTTP-01 challenge and later redirecting to HTTPS, ensure that your HTTPS configuration is correct, and the firewall allows incoming traffic on port 443.

Example: UFW (Uncomplicated Firewall) Configuration

If you are using UFW on an Ubuntu-based system, you can open the necessary ports with the following commands:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload

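Ensure that UFW is enabled. If you administer the server over SSH, allow your SSH port in UFW first, because enabling the firewall with its default deny policy will otherwise cut off your session: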

sudo ufw enable

This configuration allows incoming traffic on ports 80 and 443, which are commonly used for HTTP and HTTPS traffic.

Example: iptables Configuration

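If you are using iptables, you can use the following commands to allow traffic on ports 80 and 443. The service iptables save and restart commands apply to RHEL/CentOS-style systems that ship the iptables service; on other distributions, persist the rules with that distribution’s own mechanism: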

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo service iptables save
sudo service iptables restart

Make sure to adjust the firewall configuration based on your specific setup and security policies. Always consider the principle of least privilege and only open the ports that are necessary for the services you are running.

That’s it! Your Apache server should now be configured with a Let’s Encrypt SSL certificate. Make sure to replace with your actual domain throughout the steps.
